The Entire VR Industry in One Little Email

I had a chance to catch up with Oculus’ Nate Mitchell at GDC where I asked him about privacy in VR. Oculus has delegated the design and maintenance of their privacy policy to their parent company of Facebook so that Oculus can focus on providing the best VR experiences and growing the VR ecosystem. Mitchell acknowledges that there are “a lot of potential pitfalls over the future of VR and AR around user privacy” because VR has a “double-edged sword” of providing incredibly compelling immersive experiences, but that “used in the wrong way or in the wrong hands, you can be tracked probably more than you would normally expect to be.”

I learned more about the relationship dynamic between Oculus and Facebook in that Oculus isn’t thinking too much about how to use the data gathered from VR for advertising purposes, but the language in Oculus’ privacy policy is being shaped and directed by Facebook who is much more interested in using data gathered from virtual reality for advertising purposes. Mitchell claims that privacy is a top priority for Oculus, but a close reading of their privacy policy indicates it serves the needs of Facebook over consumers.

Mitchell and I also talked about Oculus’ announcement of lowering the price of the Rift + Touch by $200, their twelve new games premiering at GDC, as well as a number of important issues concerning the future of virtual reality. There are a lot of exciting new possibilities that could come from Oculus’ support for WebVR and the Khronos Group’s OpenXR initiative, but we also had a chance to talk about some of the challenges that Oculus has faced this year including some of their tracking regressions and some of the limitations of front-facing camera set ups when it comes to abstractions of embodiment.

There are a lot of complicated issues surrounding privacy in VR, and Oculus has delegated the design and maintenance of their privacy policy to their parent company of Facebook. In Oculus’ letter to Al Franken, they say, “We also take advantage of Facebook’s expertise in other areas, including its large team of privacy and security professionals to help design and maintain privacy and security in our products. These collaborations allow Oculus to focus on what we do best: delivering the absolute best VR products and experiences.”

When I asked Mitchell about Oculus’ stance on privacy in VR. He said, “We are committed to really protecting user privacy. That’s one of our #1 focuses, which is why we have a super detailed privacy policy. And it goes hand-in-hand with that we are committed to being really transparent with users about what generally is being collected, and anything we’re doing with that. So that’s part of the reason why I think we have such a rich privacy policy to begin with. Also being part of Facebook, obviously, helps with that. They have an incredible team dedicated to user privacy, and they’re on the bleeding edge of that. And so that’s been great for us.”

I have to disagree in Mitchell’s assessment that privacy has been one of Oculus’ top priorities. Oculus’ top priority has been to deliver amazing VR experiences, and having a “rich privacy policy” that specifies everything that can be captured and recorded just means that it reflects the values and interests of Facebook. Facebook wants to collect and store as much data as they can, and tie back to a singular identity so they can sell advertising.

On January 11, I sent an email to privacy@oculus.com to “access data associated” with my account, but I never heard anything back from them after two and a half months. If it really was a top priority for Oculus, then I would have expected to have received a response, and that there would be more systems in place for the type of transparency and accountability that is promised within the “Data Access and Deletion” section of their privacy policy.

Oculus is mostly taking a passive approach to privacy in VR where they’re prioritizing the needs and concerns of Facebook, which is reflected in how much data sharing rights are being provided to Facebook. The following is a sampling of data that when combined together could allow Facebook to determine personal identifiable information about you: including your IP address, certain device identifiers that may be unique to your device, your mobile “device’s precise location, which is derived from sources such as the device’s GPS signal and information about nearby WiFi networks and cell towers,” “information about your physical movements,” and “information about your interactions with our Services.” Facebook will know that it’s your VR headset, where you’re located, and different actions that you’re taking from capturing everything you’re doing in VR and correlating it with your identity even if you’re anonymously interacting within the context of a VR experience. Once eye tracking and other technologies that can determine facial expressions are added, there will be even more biometric data that could be able definitively identify you or whomever is using your VR headset.

Their privacy policy contains an open-ended statement about recording communications that could potentially allow Facebook to record and store all VoIP conversations: “When you post, share or communicate with other Oculus users on our Services, we receive and store those communications and information associated with them, such as the date a post was created.” Oculus denies in their letter to Al Franken that they’re recording conversations by saying, “VoIP communications are not being recorded. We do not store the content of these communications beyond the temporary caching necessary to deliver these communications to people who could be in different parts of the world.” But it’s unclear as to whether or not the privacy policy as it’s written would prevent Facebook from starting to record conversations at any time.

“On January 11, I sent an email to privacy@oculus.com to “access data associated” with my account, but I never heard anything back from them after two and a half months. If it really was a top priority for Oculus, then I would have expected to have received a response, and that there would be more systems in place for the type of transparency and accountability that is promised within the “Data Access and Deletion” section of their privacy policy.”

Since we are putting privacy in VR on trial here again in an OP-ED piece (and again focusing only on FB/Oculus) can we please do the same for HTC and other companies? Again, there is little to no evidence that companies outside the US with the exception of those in Europe with having significant value on privacy and collection of data compared to the US and even FB does a better job likely than those since it’s held to a higher standard. However, you can’t make hay with a Chinese or Taiwanese company the way you can with FB because they are just going to blow you off. Let’s keep this point in mind and hold ALL companies to a common standard for VR… and investigate them equally.

benz145

Kent is not singling out FB alone, that’s just whom this article happens to be about. Nowhere in it does he say that FB is the only company that needs to consider the long term implications of privacy and VR.

I’d also recommend checking out the list of episodes he links to at the end of the article for a lot more great discussion on the topic.

This goes way beyond just Facebook; Kent has been doing great work in this area by making sure this conversation is happening and not just letting the industry leave it as an afterthought.

PK

I agree a company based in Taiwan need to be looked at closely as well, but to me it’s very clear that Facebook deserves extra attention since they’re still at the forefront of social media. Nate for his part is very knowledgeable and probably would come off better if how he delivered his talking points as well as his freeform human dialogue didn’t always feel like a marketing team making a sales pitch.

NooYawker

SHOCKING!!!

wowgivemeabreak

So HTC/Valve push advertising on the Vive and basically nothing written about here other than mentioning it and how it will work. Meanwhile something negative towards Oculus gets a 3 page article on it.

Hivemind9000

Advertising and protection of privacy are two different topics – this article is about one of them. If HTC/Vive start advertising intrusively or inappropriately, the users will move away from their platform (advertising is generally done as part of some quid-pro-quo with the user, generally the user gets content for free in return). Collection and commercial use of private information is much more insidious as it can often be done without the conscious knowledge of the participant.

I don’t think Kent is picking on Oculus in favor of HTC/Vive. Facebook is in the business of connecting private information with advertising, as that is where their revenue comes from. They are also behind one of the biggest VR platforms. If their privacy policy is corrupt or insufficient, then it doesn’t really matter what the rest of the VR platform providers do. Industry leaders generally set the norm for those that follow, so it’s a good place to focus the efforts for getting better privacy standards in VR.

NooYawker

1. Pushing ads and siphoning your private data are two different things, even though they often go hand in hand.
2. It’s HTC Viveport not steamVR.

Foreign Devil

Trump just passed legislation allowing ISP’s to sell your browsing history and activity to anyone. I’d think that is a bigger invasion of privacy than info about your head movements in VR.

Hivemind9000

Yes, but this is a VR site. You can read articles about the rest of reality somewhere else.

Foreign Devil

Right. Virtual Reality, Virtual Problems.

PK

I don’t understand how you have this attitude with Trump’s approach to privacy. If he’s in office for a second term he’ll be able to demand an incredible amount of data from Facebook if we don’t take action now.

Farnborough

Thanks for this article! Oculus/FB’s passive approach to privacy is far from enough!